Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Susan Bradley
There is a lot of USA firm coding done outside our shores.  Thus the 
attitude you are reporting impacts the software I am buying both for my 
desktop as well as the upcoming cloud applications.

This is the part that concerns me.  As a consumer of code when it's in 
my possession I am then able to do what I can to augment the security of 
it.  When it's in the cloud, I'm depending on the vendor of the cloud to 
have thought about security .

We need to get to the place where you can come back in a few years and 
say that the culture has changed.

IMHO don't apologize.  It shows that we still need to get 
consumers/buyers of code to care that Developers are taught to care.

We have work to do.

Stephen Craig Evans wrote:
 Hi Gunnar,

 I apologize to everybody if I have come across as being harsh.

 From my 8 years of experience of living in Asia and being actively
 involved as a developer and working with developers (at Microsoft as
 its first .NET Regional Developer Evangelist in 2001 to recently at
 Symantec as the first Secure Application Services consultant for
 APAC), IMO there's a big gap between the maturity of software security
 here vs. Europe vs. West Coast USA vs. East Coast USA.

 The culture is different and even in the situation that a software
 developer cared and wanted to implement software security, in many
 countries they could get in a lot of trouble for upstaging their boss
 and making him or her lose face.

 The responsibility of secure software is not at the developer level in
 most cases, which is why I've spoken at regional IASA events
 (, with overwhelming positive responses, and will
 continue to try to reach the decision makers (as an OWASP
 representative) because trying to engage developers directly at this
 point in time at the maturity level of software security in APAC is
 not the most effective way to go about it. I'm sure, though, that at
 financial institutions they get it, but almost all of my clients are
 government and media/communications companies.

 Also, sorry to everybody for taking this thread off-topic.


 On Wed, Nov 26, 2008 at 2:24 AM, Gunnar Peterson [EMAIL PROTECTED] wrote:

 i spend at least half my time working directly with developers.

 for some reason i have not communicated as well as i should to you, what i
 am saying is that the job is too hard for developers *because* the security
 industry has let them down by sending them on a fool's errand of least

 the problem or target in your words IS with security people NOT developers.
 they have other problems just not an endless quixotic quest for least
 privilege. i am not repeat not throwing developers under the bus in this

 i am ready, willing and possibly able to be proven wrong on this point and
 maybe there is a cost effective way to deploy least privilege in the real
 world just want to make sure that i communicate my argument.

 (who is now letting go)

 On Nov 25, 2008, at 12:07 PM, Stephen Craig Evans wrote:

 I can't let this go.

 Gary, you are self-professed working with financial institutions and
 high-end customers.

 Gunnar, you are the same, at least what I gather from your Silver
 Bullet podcast when talking about the difference between SOA (top
 down) and Web 2.0 (bottom up).

 No flame war intended, but a healthy discussion should be in order.

 So please don't talk about developers as targets. They/we are the
 lowest on the totem pole. Direct your arrows at the people that you
 deal with. Plain and simple.


 On Wed, Nov 26, 2008 at 1:48 AM, Gunnar Peterson [EMAIL PROTECTED]
 look, i am a consultant. i work in lots of different companies. lots of
 different projects. i don't see these distinctions in black and white.
 sometimes the cto and managers are best positioned to help companies
 more secure software, sometimes architects, sometimes auditors, and many
 many times in my experience developers are best positioned.

 but i really, truly do not care who does it. my only goal is more
 security mechanisms and some pragmatic roadmap to get there. we are in
 infancy of this industry (think automotive safety circa 1942, all seat
 and brakes), we are in no position to turn away help from anyone who can
 help. every company and every project is different, if your organization
 set up so that developers are not empowered, but managers and CTOs are
 by all means work with them.

 but actually the main point of my post and the one i would like to hear
 people's thoughts on - is to say that attempting to apply principle of
 privilege in the real world often leads to drilling dry wells. i am not
 blaming any group in particular i am saying i think it is in the too
 pile for now and we as software security people should not be advocating
 it until or unless we can find cost effective ways to implement it.


 On Nov 

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Susan Bradley, CPA
Aaron Margosis' Non-Admin WebLog : LUA Buglight 2.0, second preview:

Mark Rockman wrote:
 It be difficult to determine /a priori/ the settings for all the 
 access control lists and other security parameters that one must 
 establish for CAS to work.  Perhaps a software assist would work 
 according to the following scenario.  Run the program in the 
 environment in which it will actually be used.  Assume minimal 
 permissions.  Each time the program would fail due to violation of 
 some permission, notate the event and plow on.  Assuming this is 
 repeated for every use case, the resulting reports would be a very 
 good guide to how CAS settings should be established for production.  
 Of course, everytime the program is changed in any way, the process 
 would have to be repeated.

 Secure Coding mailing list (SC-L)
 List information, subscriptions, etc -
 List charter available at -
 SC-L is hosted and moderated by KRvW Associates, LLC (
 as a free, non-commercial service to the software security community.
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Susan Bradley, CPA
Why shouldn't they be asked to think about it?  Especially now.

I do.  I install Vista and find out how many of my apps don't like it.  
Go grab a copy of Luabuglight and watch Aaron Margosis' stuff.  Why 
should I as an Admin have to care about this stuff  after Developers 
that don't care about it code software?

Okay yeah so the management has to have the religion of it but if 
developers at their core do not care then IMHO I as a consumer of code 
need to ensure that they do.  You can't add it on afterwards, so if the 
developers doing the coding do not care because ultimately management 
does not, we still have a fundamental problem in the software industry.

Dana Epp's ramblings at the Sanctuary: Introduction to Microsoft's SDL 
Threat Modeling Tool:

He's a developer and he cares.  And he definitely cares about least priv 
and ensure that his code doesn't ask anything that it shouldn't.

Stephen Craig Evans wrote:
 It's a real cop-out for you guys, as titans in the industry, to go
 after developers. I'm disappointed in both of you. And Gary, you said
 One of the main challenges is that developers have a hard time
 thinking about the principle of least privilege .

 Developers are NEVER asked to think about the principle of least
 privilege. Or your world of software security must be very very very
 different from mine (and I think my world at least equals   yours but
 by about 2 billion people more, which might be irrelevant now but a
 little more relevant in the future :-)

 With the greatest, deepest respect to both of you,

 On Wed, Nov 26, 2008 at 1:01 AM, Stephen Craig Evans

 Developers have no power. You should be talking to the decision makers.

 As an example, to instill the importance of software security, I talk
 to decision makers: project managers, architects, CTOs (admittedly,
 this is a blurred line - lots of folks call themselves architects). If
 I go to talk about software security to developers, I know from
 experience that I am probably wasting my time. Even if they do care,
 they have no effect overall.

 Your target and blame is wrong; that's all that I am saying.


 On Wed, Nov 26, 2008 at 12:48 AM, Gunnar Peterson
 Sorry I didn't realize developers is an offensive ivory tower in other
 parts of the world, in my world its a compliment.


 On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote:


 maybe the problem with least privilege is that it requires that

 IMHO, your US/UK ivory towers don't exist in other parts of the world.
 Developers have no say in what they do. Nor, do they care about
 software security and why should they care?

 So, at least, change your nomenclature and not say developers. It
 offends me because you are putting the onus of knowing about software
 security on the wrong people.


 On Tue, Nov 25, 2008 at 10:18 PM, Gunnar Peterson
 maybe the problem with least privilege is that it requires that

 1. define the entire universe of subjects and objects
 2. define all possible access rights
 3. define all possible relationships
 4. apply all settings
 5. figure out how to keep 1-4 in synch all the time

 do all of this before you start writing code and oh and there are
 basically no tools that smooth the adoption of the above.

 i don't think us software security people are helping anybody out in
 2008 by doing ritual incantations of a paper from the mid 70s that may
 or may not apply to modern computing and anyhow is riddled with ideas
 that have never been implemented in any large scale systems

 compare these two statements

 Statement 1. Saltzer and Schroeder:
 f) Least privilege: Every program and every user of the system should
 operate using the least set of privileges necessary to complete the
 job. Primarily, this principle limits the damage that can result from
 an accident or error. It also reduces the number of potential
 interactions among privileged programs to the minimum for correct
 operation, so that unintentional, unwanted, or improper uses of
 privilege are less likely to occur. Thus, if a question arises related
 to misuse of a privilege, the number of programs that must be audited
 is minimized. Put another way, if a mechanism can provide firewalls,
 the principle of least privilege provides a rationale for where to
 install the firewalls. The military security rule of need-to-know is
 an example of this principle.

 Statement 2. David Gelernter's Manifesto:
 28. Metaphors have a profound effect on computing: the file-cabinet
 metaphor traps us in a passive instead of active view of
 information management that is fundamentally wrong for computers.

 29. The rigid file and directory system you are stuck with on your Mac
 or PC was designed by programmers for programmers — and is still a

Re: [SC-L] Microsoft's message at RSA

2008-05-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

And if you want to listen to it, there it is as well.

Gunnar Peterson wrote:
 Hi Gary,

 I think they are doing it, Cardspace is the key enabling technology to 
 making it happen. Given how many enterprises are federation-enabled (and 
 how simply the rest can be), the biggest missing piece right now is that 
 we need an Identity Provider for the Internets.

 Of course this only helps to solve the access control problem, not the 
 defensive programming problem, you can still shoot yourself in the foot 
 with SAML and WS-* (Brian Chess and I gave a talk on this at RSA). But 
 at least it will be nice to have the banks and brokerage houses stop 
 having people type their username and passwords into web browsers, and 
 then blaming the consumer when things go amiss.


 Gary McGraw wrote:
 hi sc-l,

 Here's an article about Mundie's keynote at RSA.  It's worth a read from a 
 software security perspective.  Somehow I ended up playing the foil in this 
 article...go figure.

 So what do you guys think?  Is this end-to-end trusted computing stuff going 
 to fly with developers?



 Secure Coding mailing list (SC-L)
 List information, subscriptions, etc -
 List charter available at -
 SC-L is hosted and moderated by KRvW Associates, LLC (
 as a free, non-commercial service to the software security community.

 Secure Coding mailing list (SC-L)
 List information, subscriptions, etc -
 List charter available at -
 SC-L is hosted and moderated by KRvW Associates, LLC (
 as a free, non-commercial service to the software security community.

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Re: [SC-L] Software security != security software

2006-12-12 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
The problem is that security software vendors including Symantec and 
McAfee have used the very same techniques for years in the name of good. 
Antivirus software and personal firewall software pulls all sorts of 
fancy kernel-interpositioning kung fu.

. and for every good. there is also a bad: 

The reason we need security software like antivirus tools and personal 
firewalls is that OSes have traditionally suffered from all kinds of 
security problems (both bugs and flaws).
Hmmm let's see lately we've had these bugs  
and these  and these and these ones and these 
and. well you get the idea that it's not just OS's that have 
security flaws.. sometimes it's the very things we buy to make us secure 
that have their own issues

Microsoft may be too responsible to manipulate its security defect 
density intentionally in order to create demand for its security 
software, but the fact that this is even possible is a great worry. This 
is like allowing the fox to design and build the henhouse, not just 
guard it.

Microsoft rogue developer says in development meeting of Forefront 
products:  Say... I think I'm going to manipulate security defects just 
'cause I want to drive more sales of Forefront products...yeah that's 
the ticket... 

Okay so with tinfoil in place... that's going to need a Security defect 
Density Product Manager (Microsoft doesn't do anything without a PM or 
two you know), at least an entire WagEd (Waggoner Edstrom [however you 
spell that] marketing division to do a 'spin' and marketing blitz on how 
Forefront needs to be the software of choice... numerous conference 
calls  and committee meetings, not to mention a User Interface testing 
... etc etc...

You know this reminds me of when my Dad would respond to the folks that 
said that the Government did fill in the blank such as kill Kennedy, 
pretend to go to the moon but really did not, and other assorted odds 
and ends.

1.  From the outside it appears that they are not that well organized to 
pull something like this off (it took them 5 years to get Vista out the 
door... do you honestly think that Microsoft can selectively code a 
security defect density without causing some other issue?  That the 
Forefront team gets together with the Vista team and the watercooler and 
swaps and coordinates places to put defects in?

2.  Do you honestly think there wouldn't be some honest whistle blower 
somewhere that wouldn't be on the Fox News Channel or Oprah in a heartbeat?

Is this possible?  When our own government put forth evidence of 
weapons of mass destruction and later it comes out there wasn't 
any...that showcases that people talk and the truth gets out. Maybe I 
just grew up too much in the era of Watergate and believe too strongly 
in the power of free speech... but it's a little hard for me to think 
that someone like MiniMicrosoft wouldn't be screaming their head off if 
someone in Microsoft even thought of such a thing. 

Someone would blog.  Trust me on that one.

Quite frankly, I've been burned a few times with those antivirus 
companies that have guarded my henhouse and have flagged things as 
viruses they shouldn't, and have brought my network to it's knees.  So 
even when they were protecting me, I've lost confidence in them too.

Right now my biggest concern is that we still aren't caring enough about 
software security at all.

Susan... who's convinced that the bad guys have gotten over these petty 
turf wars a long time ago and are way more cooperating/coordinating that 
the good guys are.

Gary McGraw wrote:
 Hi all,

 The furvor over Microsoft's entry into the security software business is
 confusing some people about their software security designs.   Or maybe
 people who know better are trying to confuse the market??!  Note word

 I wrote about this in my latest darkreading column that you can find



 This electronic message transmission contains information that may be
 confidential or privileged.  The information contained herein is intended
 solely for the recipient and use by any other party is not authorized.  If
 you are not the intended recipient (or otherwise authorized to receive this
 message by the intended recipient), any disclosure, copying, distribution or
 use of the contents of the information is prohibited.  If you have received
 this electronic message transmission in error, please contact the sender by
 reply email and delete all copies of this message.  Cigital, Inc. accepts no
 responsibility for any loss or damage resulting directly or